---
# Define resources for this group of hosts here.
csi_primary_contact: sysadmin-main admin@fedoraproject.org
csi_purpose: SSH proxy to access infrastructure not exposed to the web
csi_relationship: |
  - Provides ssh access to all iad2/vpn connected servers.
  - Bastion is the hub for all infrastructure's VPN connections.
  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
    pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
#
# drop incoming traffic from less trusted vpn hosts
# allow ntp from internal RH 10 nets
#
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
#
# Set this to get fasclient cron to make the aliases file
#
fas_aliases: true
#
# Set this to get fasjson-client cron to make the aliases file
#
fasjson_aliases: false
fasjson_url: https://fasjson.fedoraproject.org/
ipa_client_shell_groups:
  - pungi-devel
  - sysadmin-analysis
  - sysadmin-dba
  - sysadmin-ppc
  - sysadmin-secondary
  - sysadmin-spin
  - sysadmin-troubleshoot
  - sysadmin-qa
  - sysadmin-kernel
ipa_client_shell_groups_inherit_from:
  - batcave
# allow a bunch of sysadmin groups here so they can access internal stuff
ipa_host_group: bastion
ipa_host_group_desc: Bastion hosts
lvm_size: 20000
mem_size: 8192
nagios_Check_Services:
  mail: false
  nrpe: true
nrpe_procs_crit: 1200
#
# Sometimes there are lots of postfix processes
#
nrpe_procs_warn: 1100
num_cpus: 4
#
# This is a postfix gateway. This will pick up gateway postfix config in base
#
postfix_group: gateway
postfix_transport_filename: transports.gateway
primary_auth_source: ipa
#
# allow incoming openvpn and smtp
#
tcp_ports: [22, 25, 1194]
udp_ports: [1194]
